

After reading this chapter and completing the exercises, you will be able to:

• Explain how unethical computer hacking is a crime
• Identify the various groups and classes of hackers and crackers
• Identify the various things that motivate hackers and crackers
• Explain differences in information security industry certifications
• Describe the origin and evolution of computer hacking
• Recognize the important issues related to ethical hacking

trend today is toward prompt prosecution and harsher sentencing for those caught
compromising machines owned by others. Due to the growth of computer cracking, many
companies are now hiring more employees with hacking skills who can identify crackers and

There are distinct groups of hackers; however, the membership is not limited to a single
group, nor is there a consistent membership within groups over time. There are two common
ways to categorize the broader groups of hackers:

• As White Hat (good hackers) or Black Hat (bad hackers)
• Through psychological profiling, which seeks to understand the motivations of hackers


Hat Categories 

The White Hat/Black Hat model is derived from old Westerns in which the “good guys” 
always wore white hats and the “bad guys” always wore black hats. The assumption is that 
everything the good guys do is right, legal, and justified, whereas everything the bad guys do 
is wrong, illegal, and debased. As is often true in life, this model oversimplifies reality but 
helps frame discussions among those who feel strongly about the importance of ethical 
behavior in the information security industry. Many information security professionals 
strongly feel that crackers have violated professional ethics and are, essentially, disqualified 
from participation in the industry. Others make allowances for youthful indiscretions. And 
some even admire and pursue crackers as possible employees under the belief that they are 
in a better position to “know thine enemy.” Whatever one believes, the idea that there is a 
distinction between legal and illegal, between ethical and unethical, is at the root of how
hackers and crackers are classified and categorized.


Figure 1-1 presents the range of what motivates White Hat/Black Hat hackers/crackers. 

Figure 1-1 White Hat/Black Hat model

Hacker Profiling

Hacking—like criminalistic forensics or martial arts—requires the practitioner to be intimately
familiar with the techniques of one’s opponent. To be successful as an ethical hacker
and network security expert, a person must know not only how to protect a network but
what and whom to protect the network from. The reading material and techniques used by
ethical hackers and unethical hackers are identical; what distinguishes the two groups from
each other is simply the permission of the network owner and the choice of whether to
defend or attack. Figure 1-2 presents a list of hacker profiles that was developed by former
police detective and computer forensics expert Marcus Rogers. Despite the popular perception
of a hacker as an antisocial teenager, hackers are not a monolithic group; they represent

Figure 1-2 Hacker profiles

Information security certifications it


the Certified Information Systems Security Professional (CISSP) and the Certified Information
Security Manager (CISM) certifications, which are sponsored by the ISC
zations, respectively. Organizations such as SANS (System Administer:
Security) Institute and the EC-Council promote m a

Hacker Motivations

Regardless of their profiles, knowledge, or skills, hackers are often motivated by a combination
of the following:

• Curiosity
• Love of puzzles
• Desire for recognition or fame
• Revenge
• Financial gain
• Patriotism or politics


Curiosity Perhaps the strongest motivation is curiosity: “What happens when I do this?” 
or “How do these security measures work?” We are trained from childhood to be curious, 
open, and sharing. Crackers direct their innate curiosity toward finding the blind spots in 
the network systems we build. 


Love of Puzzles Hackers gain great satisfaction in finding the solutions to complicated 
puzzles. A hacker has to control many variables and master many techniques to successfully 
crack systems. These same challenges motivate locksmiths and cat burglars in the physical 
security realm. Strong passwords, such as “Tr34$>1 drU,”(tr), can be devised that block most 
attack attempts, and locks can be keyed with “024642” pin combinations that are almost 
unpickable. Think how much fun it is to figure out how to solve these difficult puzzles! 


Desire for Recognition or Fame Almost all hackers are motivated by a need for 
acceptance, acknowledgment, and fame—at least among their peers. It takes a person of 
average intelligence and skill many years to become even a poor hacker. Expertise in the 
field is rare and marvelous in ways not necessarily understood by those outside the field. 

Revenge People who feel that they were wronged, or that their cause or group was
wronged, can easily talk themselves into performing unethical acts by using the simplistic notion
that a badly behaved person, business, or government deserves to be treated as poorly as possible.
It is the cracker’s way of getting even. Groups such as Anonymous, an international and
loosely aligned group of crackers that engaged in a number of high-visibility attacks against
political targets in 2011, have heightened the public’s awareness of th
cyber-attack following events that these groups mi

Most professions have ethical codes that bind their members into

the ethical hacker from the unethical cracker will help the network security profession present
to the world the benefits that it brings to society.


Evolution of Hacking 


In the 1940s, universities, government, and large businesses started using computers, but few 
people knew about them. There were no computer science students. Most of the professionals
who worked with computers used them to solve complicated mathematics problems.
The modern concept of hacking began in the late 1950s, when students at the Massachusetts 
Institute of Technology (MIT) started using their access to the IBM mainframe housed at 
MIT to work on new programming languages and other experiments outside of their regular 
classes. This was not antisocial or illegal behavior, but the students, while developing their
skills, became a community of hackers as well. In the 1950s, “hacker” was a word for a hobbyist
in any technical area.


The students used their unsupervised computer time to experiment, to find new ways of solving
problems, and to invent applications that did things in a new computerized way. These
early hackers had no malicious intent. They simply believed that there was always room for 
improvement. And so, when a new, simpler, more elegant solution was found, it was published
widely and tested by many. There was little predefined structure to the experimentation.
Many of the students took as much pride in their collaborative solutions as they did in their 
individual achievements. Given the open access and freedom they had, many of them indulged 
in programmed pranks or discovered ways to access others’ personal files to edit their code. 
But these pranks were published just as widely as the more socially acceptable results. 


The first password hacks were a response to the Compatible Time Sharing System (CTSS), 
which was developed in the early 1960s and first loaded onto an IBM mainframe, again at 
MIT. This application enabled the safe sharing of computer time by different users so that 
all the processor’s cycles were used and there was no idle time. Usernames and logons kept 
people from anonymously accessing the computer, but this flew in the face of the freedoms
that students had previously enjoyed. Some responded by trying to guess usernames and
passwords. Finally, they broke into the CTSS system. 


In the 1970s, a new sort of hacker, the phone phreak, appeared. Phone phreaks used various 
methods, collectively called phreaking, to access telephone networks in order to make free 
calls from pay phones. Eventually, they began combining traditional phreaking tools with 
computer programming languages. One popular phreaking program was Blue Beep. It 
works with MS-DOS and shell prompts of Windows, using PASCAL and other assembly
languages. Its features include creating digital tones, controlling trunk lines, and scanning
telephone exchanges. 


In the 1980s, phreaks discovered that any server with a modem could potentially be entered. 
War dialers were developed to search for open modems. Once a hacker gained access to one 
server, it was often possible to access another server through the dedicated lines the servers
shared. This was one way to access the fledgling Internet and its precursors—i.e., the bulletin
boards run by CompuServe and AOL. 


As personal computer prices dropped and users became more common, hacker communities
grew, too, and the term “hacking” started to take on a new connotation. Hackers were no
longer just young, socially inept males with an insatiable curiosity about computers. They

There is an ongoing philosophical discussion as to whether free access to information is more
or less important than a creator’s right to protect his or her creations. This is the same sort of
debate as the one over the regulations that govern the distribution and modification of written
works. There are those who feel that proprietary software is a form of elitism that inhibits
progress. The argument is that every person has the right to hear, read, see, or learn anything
that is available. On the other hand, proponents of strong intellectual property rights argue
that there would be no creation at all if there was not some method of ensuring remuneration 
for reproduction of that intellectual property. Regardless of the personal opinions a hacker 
may hold with regard to intellectual property issues, as a member of the information security 
industry, there is an obligation to the organization to uphold and enforce existing laws. 


Professional hackers have a responsibility to society that is hard to ignore. Their activities 
should help to build and improve upon existing technology. Accessing information in a 
quest for knowledge is valuable, but a hacker’s right to free information ought not to infringe 
on others’ rights to their own space and property. It is the responsibility of ethical hackers to 
ensure that their activities cause no harm to the confidentiality and integrity of information. 
They should use their skills and interests as opportunities to learn and teach. Hackers can 
use their intelligence and experience to invent new solutions that help the overall development
of technology.


An ethical hacker is a security professional who applies his or her hacking skills for defensive
purposes. This person accesses a computer system or network with the authorization of the
system’s owner and without causing damage to the system. Hackers who are conscious of
other people’s rights are assets to the IT field. (On the other hand, hackers who act with
malicious intent harm the profession, but at the same time they help security professionals
see where their networks are vulnerable.) It is possible for hackers to gain access to sensitive
and controversial data while they are engaged in the activity of ethical hacking. What that
hacker does with that data reflects on the entire industry. The very cornerstone of success
for ethical hackers rests on trust. Violations of that trust by failing to act honorably and ethically
come with significant consequences.

part of a defensive strategy, organizations may want to hire external ner professional
to try to hack their systems. They can derive further benefits from hiring ethical hackers to
perform security audits, which provide solutions as well as identify potential problems.


Ethical hackers work to protect all IT areas—Web servers and shared printers as well as
e-mail from end to end. The widespread adoption of smartphones, tablets, and other mobile
devices as well as the move to the “cloud” are only the most recent additions to the information
assets that organizations are responsible for. These organizations have also adopted
social media and technically integrated Enterprise Resource Planning (ERP) systems that
have blurred the boundaries of the traditional internal network, which has only increased
the importance of the work of professional ethical hackers. Hackers must have experience
in software engineering, network engineering, and system security. They must strive to
increase their knowledge of tools and techniques to protect their networks and to check for 
forensics evidence when those networks are attacked. 

Chapter Summary


• Computer cracking is illegally hacking into a computer system without the permission of
the system’s owner.

• Hackers are commonly classified in two groups: White Hat, or “good” and ethical hackers,
and Black Hat, or “bad” and malicious hackers.

• The eight major profiles of hackers include novices, cyber-punks, internals, old guard
hackers, coders, professional criminals, information warriors (aka cyber-terrorists), and
hacktivists.

• Ethical hackers and unethical hackers use the same reading materials and techniques;
what distinguishes between the two groups is simply the permission of the network
owner and the choice of whether to defend or attack.

• Hackers may be motivated by a love of difficult challenges, curiosity, a desire f